The Information Commissioner’s Office (ICO) has reprimanded the Department for Education (DfE) due to the misuse of personal information related to 28m children.
The DfE had allowed Trust Systems Software, which traded as Trustopia, to share information from the learning records service (LRS) database for age-related screening services provided to online gambling operators.
The LRS database maintains British pupils’ academic records, with its access restricted to qualified education providers.
An ICO investigation found that the “DfE had continued to grant Trustopia access to the database when it advised the department that it was the new trading name for Edududes Ltd, which had been a training provider.”
Trustopia, which was dissolved prior to the investigation, distributed information from the database to companies such as GB Group, which helped gambling operators verify that customers were over 18.
The LRS database has personal information of up to 28 million children and young people from the age of 14. The database records full name, date of birth, and gender, with optional fields for email address and nationality.
The ICO stated that the misuse of information is against data protection law, “as data shared was not being used for its original purpose.”
To the embarrassment of the DfE, its management became aware of the breach due to an exposé in a Sunday newspaper.
UK Information Commissioner, John Edwards, said: “This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case.
“I have taken the decision not to issue that fine, as any money paid in fines is returned to the government, and so the impact would have been minimal.”
“But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”
The ICO reported that Trustopia had access to the LRS database from September 2018 to January 2020 and that it had carried out searches on 22,000 learners for age verification purposes.
Since the breach, the DfE has removed access to the LRS database from 2,600 organisations, undertaking tougher monitoring of its systems and data searches.
The reprimand has ordered the DfE to set out clear measures to improve its data protection practices so that children’s data is properly looked after.
Commissioner Edwards concluded: “Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.”
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28m children.”